Do I Need New HIPAA Business Associate Agreements?

Now that the Health Insurance Portability and Accountability Act omnibus regulation has been published,1 companies across the health care industry and an enormous range of service providers are struggling to meet the challenges presented by these new rules by the Sept. 23 compliance date. Some of these obligations present new challenges in interpreting what the rules mean (e.g., the new marketing and sale restrictions). Other provisions require new analysis in situations arising in the future (e.g., the breach notification provisions). Business associates in general need to evaluate how best to comply with the detailed and onerous HIPAA Security Rule.

The question surrounding new business associate agreements presents a mixture of compliance obligations, risk management, and business opportunity, from the perspective of both covered entities and business associates. Business associate agreements have been around since the beginning of the HIPAA era. Because the Department of Health and Human Services had no authority to regulate anyone other than covered entities, the regulators created the idea of a business associate agreement to impose contractual obligations on the wide range of service providers to the health care industry. This was, at the time, an ingenious way to provide reasonably effective privacy protections beyond the authority provided by Congress. It imposed at least a contractual structure on the privacy and security of health care information far beyond the core requirements for covered entities. HHS did not properly appreciate, however, the time and money that would be spent negotiating hundreds of thousands of business associate agreements across the country.

Fast forward to the Health Information Technology for Economic and Clinical Health Act. Now, HHS has authority to regulate business associates directly, as of the compliance date in September. Under the new rules, business associates will need to comply with many of the provisions of the HIPAA Privacy Rule, all of the HIPAA Security Rule, and the HIPAA Breach Notification provisions. So, what about the need for updated business associate agreements themselves?

At a minimum, HHS clearly stated that business associate agreements still are required. Its justification for this is, frankly, limited, and not particularly persuasive. But these agreements still are required, even though the bulk of these documents (and all of the "required" elements) now will simply reiterate compliance requirements that apply to business associates by law.

So, even though there is limited rationale for these agreements, do covered entities need to have new business associate agreements in place to meet the new requirements? And do business associates want new agreements or not? It is possible that some existing agreements will meet all relevant standards, and there is no explicit statement from HHS (as there was with privacy notices) that new business associate agreements are required. Even so, most covered entities will find both that they need to change their agreements to address the new rules and that it is desirable to have new agreements that reflect those changes. (Business associates also may find reasons to want new agreements.) Despite some confusion, it seems clear that the obligation to implement business associate agreements continues to rest with the covered entity, and that business associates now have specific legal obligations whether or not a business associate agreement is in place.

